[CVE-2020-8625] ZDI-CAN-12302: ISC BIND TKEY Query Heap-based Buffer Overflow Remote Code Execution Vulnerability
CVE-specific actions

- Assign a CVE identifier
- Determine CVSS score
- Determine the range of BIND versions affected (including the Subscription Edition)
- Determine whether workarounds for the problem exist
- Prepare a detailed description of the problem which should include the following by default:
  - instructions for reproducing the problem (a system test is good enough)
  - explanation of code flow which triggers the problem (a system test is not good enough)
- Prepare a private merge request containing the following items in separate commits:
  - a test for the issue (may be moved to a separate merge request for deferred merging)
  - a fix for the issue
  - documentation updates (`CHANGES`, release notes, anything else applicable)
- Ensure the merge request from the previous step is reviewed by SWENG staff and has no outstanding discussions
- Ensure the documentation changes introduced by the merge request addressing the problem are reviewed by Support and Marketing staff
- Prepare backports of the merge request addressing the problem for all affected (and still maintained) BIND branches (backporting might affect the issue's scope and/or description)
- Prepare a standalone patch for the last stable release of each affected (and still maintained) BIND branch

Release-specific actions

- Create/update the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle: isc-private/bind9#34
- Reserve a block of `CHANGES` placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined
- Ensure the merge requests containing CVE fixes are merged into `security-*` branches in CVE identifier order
As reported to ISC Security Officer:

ZDI-CAN-12302: ISC BIND TKEY Query Heap-based Buffer Overflow Remote Code Execution Vulnerability

-- CVSS -----------------------------------------
8.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

-- ABSTRACT -------------------------------------
Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products: ISC - BIND

-- VULNERABILITY DETAILS ------------------------
- Version tested: 9.16.9
- Installer file: bind-9.16.9.tar.xz
- Platform tested: ubuntu 20.04.1 desktop edition

Analysis

The bug is CVE-2006-5989; ISC did not merge the patch:
https://bugzilla.redhat.com/show_bug.cgi?id=206736

It leads to a heap overflow (off-by-4).
It affected the latest Current-Stable, 9.16.9.
It requires the tkey-gssapi-keytab config in named.conf.
```c
static int
der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
	...
	data->components = malloc(len * sizeof(*data->components));
	if (data->components == NULL) {
		return (ENOMEM);
	}
	data->components[0] = (*p) / 40;
	data->components[1] = (*p) % 40; /* <--- (1) two elements are written */
	--len;                           /* <--- (2) but len is decremented by only one */
	++p;
	for (n = 2; len > 0U; ++n) {
		unsigned u = 0;
		do {
			--len;
			u = u * 128 + (*p++ % 128);
		} while (len > 0U && p[-1] & 0x80);
		data->components[n] = u; /* <--- (3) off-by-4 */
	}
	...
	return (0);
}
```
debug log

```
(gdb) b *0x18E27E+0x7fb83fd83000
Breakpoint 1 at 0x7fb83ff1127e
(gdb) b *0x18E309+0x7fb83fd83000
Breakpoint 2 at 0x7fb83ff11309
(gdb) c
Continuing.
[Switching to Thread 0x7fb83d1f8700 (LWP 77138)]
Thread 2 "isc-net-0000" hit Breakpoint 1, 0x00007fb83ff1127e in ?? () from /lib/x86_64-linux-gnu/libdns.so.1601
(gdb) x/i $pc
=> 0x7fb83ff1127e: call 0x7fb83fdab5d0 <malloc@plt>
(gdb) i r $rdi
rdi 0x28 40
(gdb) ni
0x00007fb83ff11283 in ?? () from /lib/x86_64-linux-gnu/libdns.so.1601
(gdb) x/30xg $rax-0x10
0x7fb82c0164b0: 0x0000000000000000 0x0000000000000035
0x7fb82c0164c0: 0x00007fb82c016650 0x0000000000000000
0x7fb82c0164d0: 0x0000000000000000 0x0000000000000000
0x7fb82c0164e0: 0x0000000000000000 0x0000000000000025
0x7fb82c0164f0: 0x00007fb82c016230 0x00007fb83f55fc20
0x7fb82c016500: 0x0000000000000000 0x0000000000000025
0x7fb82c016510: 0x00007fb82c016530 0x00007fb82c0008d0
0x7fb82c016520: 0x0000000000000000 0x0000000000000025
0x7fb82c016530: 0x0000000000000000 0x00007fb82c0008d0
0x7fb82c016540: 0x0000000000000000 0x00000000000000b5
0x7fb82c016550: 0x00007fb82c015120 0x00007fb82c0008d0
0x7fb82c016560: 0x0000000000000000 0x00000000ffffffff
0x7fb82c016570: 0x0000000000000000 0x0000000000000000
0x7fb82c016580: 0x0000000000000000 0x0000000000000000
0x7fb82c016590: 0x0000000000000000 0x0000000000000000
(gdb) c
Continuing.
Thread 2 "isc-net-0000" hit Breakpoint 2, 0x00007fb83ff11309 in ?? () from /lib/x86_64-linux-gnu/libdns.so.1601
(gdb) x/i $pc
=> 0x7fb83ff11309: mov DWORD PTR [rax+rcx*4],edi // overwrite next chunk header
(gdb) x/xg $rax+$rcx*4
0x7fb82c0164e8: 0x0000000000000025
(gdb) bt
#0 0x00007fb83ff11309 in ?? () from /lib/x86_64-linux-gnu/libdns.so.1601
#1 0x00007fb83ff1144a in ?? () from /lib/x86_64-linux-gnu/libdns.so.1601
#2 0x00007fb83ff11a2d in gss_accept_sec_context_spnego () from /lib/x86_64-linux-gnu/libdns.so.1601
#3 0x00007fb83ff1d083 in dst_gssapi_acceptctx () from /lib/x86_64-linux-gnu/libdns.so.1601
#4 0x00007fb83feb65cd in dns_tkey_processquery () from /lib/x86_64-linux-gnu/libdns.so.1601
#5 0x00007fb83ffcf27f in ns_query_start () from /lib/x86_64-linux-gnu/libns.so.1601
#6 0x00007fb83ffb2131 in ns.client_request () from /lib/x86_64-linux-gnu/libns.so.1601
#7 0x00007fb83fce2b26 in ?? () from /lib/x86_64-linux-gnu/libisc.so.1601
#8 0x00007fb83fce33cd in ?? () from /lib/x86_64-linux-gnu/libisc.so.1601
#9 0x00007fb83fcdf74c in ?? () from /lib/x86_64-linux-gnu/libisc.so.1601
#10 0x00007fb83f470b01 in ?? () from /lib/x86_64-linux-gnu/libuv.so.1
#11 0x00007fb83f471638 in ?? () from /lib/x86_64-linux-gnu/libuv.so.1
#12 0x00007fb83f476ae0 in uv.io_poll () from /lib/x86_64-linux-gnu/libuv.so.1
#13 0x00007fb83f4667ac in uv_run () from /lib/x86_64-linux-gnu/libuv.so.1
#14 0x00007fb83fcdec2d in ?? () from /lib/x86_64-linux-gnu/libisc.so.1601
#15 0x00007fb83f7b4609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#16 0x00007fb83f6d5293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb) c
Continuing.
Thread 3 "isc-net-0001" received signal SIGABRT, Aborted.
[Switching to Thread 0x7fb83c8b6700 (LWP 77139)]
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb)
```
-- CREDIT ---------------------------------------
This vulnerability was discovered by: Anonymous working with Trend Micro Zero Day Initiative
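The allocation bug in the `der_get_oid()` excerpt quoted in the report above, as an added example that is neither ISC's nor Heimdal's code and not the actual BIND fix: a decoder that sizes the buffer for the worst case of `len + 1` components, beside a helper that computes how many bytes the original `len`-sized buffer would be overrun by for a given encoding, without performing the write. The `oid` struct, the function names and the SPNEGO sample bytes are this example's own assumptions; the `size` output parameter of the original is dropped.

```c
#include <errno.h>
#include <stdlib.h>
typedef struct {		/* minimal stand-in for the report's oid type */
	size_t length;
	unsigned *components;
} oid;

/* Hardened decoder, same walk as the quoted code: len content octets can encode
 * up to len + 1 components (two from the first octet), but the original allocated len. */
static int
der_get_oid_fixed(const unsigned char *p, size_t len, oid *data) {
	size_t n;
	if (len < 1)
		return (EINVAL);
	data->components = malloc((len + 1) * sizeof(*data->components));
	if (data->components == NULL)
		return (ENOMEM);
	data->components[0] = (*p) / 40;
	data->components[1] = (*p) % 40;
	--len; ++p;
	for (n = 2; len > 0U; ++n) {
		unsigned u = 0;
		do {
			--len;
			u = u * 128 + (*p++ % 128);
		} while (len > 0U && p[-1] & 0x80);
		data->components[n] = u;	/* n <= original len: in bounds */
	}
	data->length = n;
	return (0);
}
/* Overrun of the original malloc(len * sizeof(unsigned)) for this encoding, in bytes. */
static size_t
oid_overrun_bytes(const unsigned char *p, size_t len) {
	size_t n = 2, i;	/* the first octet always contributes two */
	for (i = 1; i < len; i++)
		if (!(p[i] & 0x80) || i == len - 1)
			n++;	/* last octet of a subidentifier */
	return ((n > len) ? (n - len) * sizeof(unsigned) : 0);
}
/* Component count after a successful decode, or 0 on error. */
static size_t
oid_component_count(const unsigned char *p, size_t len) {
	oid o;
	if (der_get_oid_fixed(p, len, &o) != 0)
		return (0);
	free(o.components);
	return (o.length);
}

/* Constructed sample: content octets of SPNEGO OID 1.3.6.1.5.5.2, the worst
 * case because every octet after the first ends a subidentifier. */
static const unsigned char spnego_oid[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };
```

For the six-octet SPNEGO OID the helper reports a 4-byte overrun, the same off-by-4 the report describes, while a multi-octet encoding such as the Kerberos OID 1.2.840.113554.1.2.2 produces fewer components than octets and does not overrun.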
Edited by Michał Kępień